|
|
@@ -83,12 +83,14 @@ composites { |
|
|
|
expression = "(HAS_X_POS | HAS_PHPMAILER_SIG) & HAS_WP_URI & (PHISHING | CRACKED_SURBL | PH_SURBL_MULTI | DBL_PHISH | DBL_ABUSE_PHISH | URIBL_BLACK | PHISHED_OPENPHISH | PHISHED_PHISHTANK)"; |
|
|
|
description = "Phish message sent by hacked Wordpress instance"; |
|
|
|
policy = "leave"; |
|
|
|
group = "compromised_hosts"; |
|
|
|
} |
|
|
|
COMPROMISED_ACCT_BULK { |
|
|
|
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & DCC_BULK"; |
|
|
|
description = "Likely to be from a compromised account"; |
|
|
|
score = 3.0; |
|
|
|
policy = "leave"; |
|
|
|
group = "compromised_hosts"; |
|
|
|
} |
|
|
|
UNDISC_RCPTS_BULK { |
|
|
|
expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)"; |
|
|
@@ -167,6 +169,7 @@ composites { |
|
|
|
score = 4.0; |
|
|
|
policy = "leave"; |
|
|
|
description = "Message exhibits strong characteristics of advance fee fraud (AFF a/k/a '419' spam) involving freemail addresses"; |
|
|
|
group = "scams"; |
|
|
|
} |
|
|
|
REDIRECTOR_URL_ONLY { |
|
|
|
expression = "HFILTER_URL_ONLY & REDIRECTOR_URL"; |
|
|
@@ -174,11 +177,17 @@ composites { |
|
|
|
policy = "leave"; |
|
|
|
description = "Message only contains a redirector URL"; |
|
|
|
} |
|
|
|
THREAD_HIJACKING_FROM_INJECTOR { |
|
|
|
expression = "FAKE_REPLY & RCVD_VIA_SMTP_AUTH & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL)"; |
|
|
|
SUSPICIOUS_AUTH_ORIGIN { |
|
|
|
expression = "(HAS_XOIP | RCVD_FROM_SMTP_AUTH) & (!RECEIVED_SPAMHAUS_PBL | RECEIVED_SPAMHAUS_XBL | RECEIVED_SPAMHAUS_SBL | RECEIVED_BLOCKLISTDE)"; |
|
|
|
score = 0.0; |
|
|
|
policy = "leave"; |
|
|
|
description = "Message authenticated, but from a suspicios origin (potentially an injector)"; |
|
|
|
} |
|
|
|
ABUSE_FROM_INJECTOR { |
|
|
|
expression = "SUSPICIOUS_AUTH_ORIGIN & (FAKE_REPLY | HAS_IPFS_GATEWAY_URL | HTML_SHORT_LINK_IMG_1)"; |
|
|
|
score = 2.0; |
|
|
|
policy = "leave"; |
|
|
|
description = "Fake reply exhibiting characteristics of being injected into a compromised mail server, possibly e-mail thread hijacking"; |
|
|
|
description = "Message is sent from a suspicios origin and showing signs of abuse, likely spam injected in compromised account"; |
|
|
|
group = "compromised_hosts"; |
|
|
|
} |
|
|
|
SUSPICIOUS_URL_IN_SUSPICIOUS_MESSAGE { |